Recovering from a UNIX System Compromise

Prepare for a UNIX System Compromise BEFORE it happens. A method of Recovery should be a part of your Security Policy.

Before you get started

1. Consult your security policy
2. If you do not have a security policy
   a. Consult with management
   b. Consult with your legal counsel
   c. Contact law enforcement agencies
   d. Notify others within your organization
3. Obtain a Forensics Kit
4. Document all of the steps you take in recovering

Regain control

1. Disconnect compromised system(s) from the network
2. Copy an image of the compromised system(s)
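
One way to carry out the imaging step while also documenting it, as an added example that is not part of the original page. The function name image_and_log, the log line format and the use of dd and sha256sum (GNU coreutils) are assumptions, and the source disk is assumed to be offline or not mounted read-write so that it does not change between the copy and the hash.

```shell
#!/bin/sh
# Added example, not from the original page.
# image_and_log SRC DEST LOG   (hypothetical helper)
#   SRC   disk or partition of the compromised system
#   DEST  image file on separate, trusted storage
#   LOG   text file in which each recovery step is recorded
image_and_log() {
    src=$1 dest=$2 log=$3
    if [ ! -r "$src" ]; then
        echo "cannot read source: $src" >&2; return 1
    fi
    if [ -e "$dest" ]; then
        # Never overwrite an earlier image: it may be the only copy.
        echo "refusing to overwrite: $dest" >&2; return 1
    fi
    started=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    # Bit-for-bit copy; dd exits non-zero on an unreadable block.
    dd if="$src" of="$dest" bs=64k 2>/dev/null || return 1
    # Hash both sides so the log proves the image matches the source.
    src_sum=$(sha256sum < "$src" | cut -d' ' -f1)
    img_sum=$(sha256sum < "$dest" | cut -d' ' -f1)
    if [ "$src_sum" != "$img_sum" ]; then
        printf '%s IMAGE MISMATCH src=%s dest=%s\n' \
            "$started" "$src" "$dest" >> "$log"
        return 1
    fi
    chmod a-w "$dest"   # analyse copies of the image, not the image itself
    printf '%s imaged src=%s dest=%s sha256=%s by=%s\n' \
        "$started" "$src" "$dest" "$img_sum" "$(id -un)" >> "$log"
}

# Demo on a constructed 1 MiB sample file standing in for a disk.
demo_dir=$(mktemp -d)
dd if=/dev/urandom of="$demo_dir/disk.sample" bs=1024 count=1024 2>/dev/null
image_and_log "$demo_dir/disk.sample" "$demo_dir/disk.img" "$demo_dir/recovery.log"
cat "$demo_dir/recovery.log"
rm -rf "$demo_dir"
```
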